Setting up SSL for the Web Application with Apache - Micetro - 25.2.0

Micetro Installation Guide


By default, your site is configured for HTTP on port 80 only. We strongly recommend that you redirect HTTP traffic to HTTPS in order to prevent security breaches and protect sensitive information, e.g., application credentials, from being intercepted. This also improves your site's compatibility with modern browsers.

Note: Make sure that certificates include a Subject Alternative Name (SAN) so that web browsers mark the site as secure.

We recommend that you set up a secure sockets layer (SSL) for the Web Application and follow the best practices for your web server to make sure that everything is in order and up-to-date. The following instructions guide you through configuring the SSL certificate with Apache.

There are two approaches you can take to set up SSL and redirect HTTP traffic to HTTPS.

1. Using certbot

  1. Use the Let’s Encrypt certbot, which issues free, automated certificates.
    Note: We recommend moving mmweb.conf to sites-available before running the certbot.
  2. Run the following commands based on your operating system:
    • Debian/Ubuntu:
      sudo apt install certbot python3-certbot-apache
      sudo certbot --apache
    • RHEL/CentOS:
      sudo dnf install certbot python3-certbot-apache
      sudo certbot --apache

    This will request a certificate, update your Apache config, and set up automatic renewal.

2. Configuring SSL manually

  1. Generate or import your own certificates. You can use the Mozilla SSL Configuration Generator to create a hardened Apache SSL configuration snippet tailored to your Micetro version.
  2. After you download the configuration, make sure to add all the configuration from the <VirtualHost *:80> section in the mmweb.conf file into the new configuration's <VirtualHost *:443> section.

    For more information about VirtualHost directives, refer to the Apache documentation.

Note: After enabling HTTPS, make sure that HTTP (port 80) is redirected to HTTPS (port 443) for the best security. We also recommend adding the Strict-Transport-Security HTTP header configuration.
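
The redirect and header this note calls for, as an added example for the manual approach (not taken from Micetro's own configuration files). The server name is the one used on this page, the certificate paths are placeholders, and mod_ssl and mod_headers are assumed to be enabled.

```apache
# Added example. Placeholders: /path/to/fullchain.pem and /path/to/privkey.pem.
# Assumes mod_ssl, mod_headers and mod_alias are loaded.

<VirtualHost *:80>
    ServerName web-application.domain.tld

    # Serve no application content over plain HTTP: every request is
    # answered with a 301 pointing at the same path on the HTTPS site.
    Redirect permanent / https://web-application.domain.tld/
</VirtualHost>

<VirtualHost *:443>
    ServerName web-application.domain.tld

    SSLEngine on
    # The certificate must list web-application.domain.tld as a SAN.
    SSLCertificateFile    /path/to/fullchain.pem
    SSLCertificateKeyFile /path/to/privkey.pem

    # HSTS: browsers that have seen this header refuse plain HTTP to this
    # host for max-age seconds (63072000 = two years). "always" also adds
    # the header to error responses. Browsers ignore HSTS sent over HTTP,
    # so it belongs only in the HTTPS virtual host.
    Header always set Strict-Transport-Security "max-age=63072000"

    # The directives copied from the <VirtualHost *:80> section of
    # mmweb.conf go here.
</VirtualHost>
```

Browsers cache the HSTS policy for the full max-age, so a short value is a safer starting point while the certificate setup is still being tested.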

By default, the ProxyPass configuration for the web services in conf/mmws.conf is globally defined, i.e., for all sites. If you only want to use ProxyPass for a single Micetro site, you can move the configuration in mmws.conf into the <VirtualHost> statement. Remember to comment out or remove the include from the main configuration file.

To verify the Web Application is accessible, navigate to https://web-application.domain.tld. The Web Application login should be displayed.

For more information about setting up SSL, refer to the Apache documentation on TLS/SSL Encryption.

For information about improving the security of Apache servers running Debian, refer to the Debian documentation on Apache Hardening.

Enabling content compression for Apache

To speed up response time for large operations, add the following line to mmws.conf:

 AddOutputFilterByType DEFLATE application/json